On Wed, 9 Mar 2005 08:35:45 -0500, seb hould <apache.ml@xxxxxxxxx> wrote:

> Our webserver is on a RedHat9 IBM e-series. We serve all files from a
> smbfs mounted DocumentRoot. Now we just realized that whenever we
> appended a "%5C" to any of our URI we could actually see the source
> code.
>
> For example "www.somewhere.com/index.php%5C" would let you see the
> index.php file's source code. No need to tell you we were panicking.
>
> In IE, which we mostly use for tests, you have to explicitly enter
> the code, but in Firefox, as soon as you end the URI in a backslash it
> interprets it as "%5C". So basically we found it by doing a typo in
> Firefox. For the moment I transferred all the files to the webserver
> which has an ext2 filesystem and everything works fine, but I am
> wondering if there's anything I could do in the httpd.conf file to
> keep on using that setup. We tried denying files ending with a
> backslash or "%5c"; it didn't work. We also tried using RedirectMatch or
> rewrite but it seems no regex works.
>
> Now the only link I can make out of this problem is that smb is a
> "windows type" protocol and so is the backslash. But why is it that
> when the DocumentRoot is on a Linux based filesystem it appends the
> backslash to the file name while on an smbfs it shows the code?

You could probably use something like

    <FilesMatch \.php.+$>
        Order allow,deny
        Deny from all
    </FilesMatch>

(or something similar with <LocationMatch>) as long as you don't have any
.phpfoo extensions.

But you seem to have identified a significant problem with using smbfs in
combination with apache, and I wouldn't be confident using that unless I
was sure there weren't any other similar problems. I would start by
contacting the smbfs developers and asking them about these types of
issues. When run under windows, apache is aware of all the funky ways
that you can access the same files under different names. If smbfs is
extending all those onto unix, then it could create serious problems,
because apache has no way of knowing about it.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
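The mismatch the thread describes, as an added simulation that is not part of the original exchange: the server picks a handler from the literal decoded filename, while an smbfs-style mount maps the trailing backslash to a separator and opens the real index.php. The DocumentRoot path, the handler table and the modelling of smbfs as "backslash becomes slash" are assumptions made for the simulation; the FilesMatch pattern is the one from the reply.

```python
import posixpath
import re
from typing import Optional, Tuple
from urllib.parse import unquote

# Constructed values for the simulation; not taken from the thread.
DOCROOT = "/var/www/html"
HANDLERS = {".php": "php-script"}            # extension -> handler, as a server maps it
FILESMATCH_DENY = re.compile(r"\.php.+$")    # the pattern suggested in the reply


def resolve(uri: str, smb_like: bool) -> Tuple[str, str]:
    """Return (path the server opens, handler it picks) for a request URI.

    The handler is chosen from the literal decoded filename.  An smbfs-style
    mount is modelled as treating '\\' as a path separator, so 'index.php\\'
    opens 'index.php' while handler lookup sees an extension of '.php\\'.
    On a POSIX filesystem 'index.php\\' is simply a different (absent) file.
    """
    name = posixpath.normpath(unquote(uri)).lstrip("/")   # "%5C" -> "\"
    handler = HANDLERS.get(posixpath.splitext(name)[1], "default-handler")
    opened = name
    if smb_like:
        opened = posixpath.normpath(name.replace("\\", "/"))
    return posixpath.join(DOCROOT, opened), handler


def leaks_source(uri: str, smb_like: bool) -> bool:
    """True when a .php file would be opened but served raw by the default handler."""
    opened, handler = resolve(uri, smb_like)
    return opened.endswith(".php") and handler == "default-handler"


def deny_request(uri: str) -> Optional[str]:
    """Defensive filter: the reason for denial, or None if the request may proceed.

    Rejects any decoded path containing a backslash (never a legitimate name
    under a POSIX DocumentRoot) and anything the reply's FilesMatch would deny,
    which, as the reply notes, also catches legitimate '.phpfoo' names.
    """
    name = unquote(uri)
    if "\\" in name:
        return "backslash in decoded path"
    if FILESMATCH_DENY.search(posixpath.basename(name)):
        return "matches FilesMatch \\.php.+$"
    return None
```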